[ https://issues.apache.org/jira/browse/MODPYTHON-108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Graham Dumpleton closed MODPYTHON-108.
--------------------------------------

> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>
>                  Key: MODPYTHON-108
>                  URL: https://issues.apache.org/jira/browse/MODPYTHON-108
>              Project: mod_python
>           Issue Type: Improvement
>           Components: core
>     Affects Versions: 3.1.4, 3.3, 3.2.7
>             Reporter: Deron Meranda
>          Assigned To: Graham Dumpleton
>             Priority: Minor
>              Fix For: 3.3
>
>          Attachments: MP108_20060427_grahamd_1.diff
>
>
> The Cookie.Cookie class does not allow the new "httponly" cookie property to
> be set. It needs to be added to the valid slots on the cookie metaclass.
> Also note that, like the "secure" cookie attribute, it is simply a boolean
> flag without any value.
>
> The HttpOnly flag was invented by Microsoft but is seeing widespread support as
> a way to prevent cross-site scripting from stealing cookies using client-side
> Javascript. This is especially important for security-sensitive cookies,
> such as session keys.
>
> The mod_python session object should also explicitly set the HttpOnly
> property on the cookies it creates.
>
> See also these related references:
>
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
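As an added illustration of the point in the report (this is not mod_python's code, nor the attached diff): a small cookie renderer that emits `secure` and `httponly` as bare flags with no `=value`, a parser that reads them back, and an audit that lists Set-Cookie headers which set a session cookie without HttpOnly. The session cookie name `sessionid` and the sample headers are constructed for the example.

```python
from typing import Dict, List, Optional

# Attributes that carry a value, and flags emitted as bare tokens (no "=value").
VALUED_ATTRS = ("path", "domain", "expires", "max_age")
FLAG_ATTRS = ("secure", "httponly")
FLAG_LABELS = {"secure": "Secure", "httponly": "HttpOnly"}

# Constructed session cookie name for the audit below (an assumption, not mod_python's).
SESSION_COOKIE_NAMES = ("sessionid",)

def render_set_cookie(name: str, value: str, **attrs) -> str:
    """Render a Set-Cookie header; boolean flags appear without a value."""
    parts = [f"{name}={value}"]
    for key in VALUED_ATTRS:
        if attrs.get(key) is not None:
            label = "Max-Age" if key == "max_age" else key.capitalize()
            parts.append(f"{label}={attrs[key]}")
    for key in FLAG_ATTRS:
        if attrs.get(key):          # truthy flag -> bare token; falsy -> omitted
            parts.append(FLAG_LABELS[key])
    return "; ".join(parts)

def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse a Set-Cookie header into lower-cased attributes; flags map to None."""
    segments = [s.strip() for s in header.split(";") if s.strip()]
    name, _, value = segments[0].partition("=")
    parsed: Dict[str, Optional[str]] = {"__name__": name.strip(), "__value__": value}
    for seg in segments[1:]:
        key, has_eq, val = seg.partition("=")
        parsed[key.strip().lower()] = val.strip() if has_eq else None
    return parsed

def missing_httponly(headers: List[str], session_names=SESSION_COOKIE_NAMES) -> List[str]:
    """Return the headers that set a session cookie without the HttpOnly flag."""
    offending = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["__name__"] in session_names and "httponly" not in cookie:
            offending.append(header)
    return offending

# Constructed sample headers: one session cookie lacks HttpOnly, one has it,
# and one non-session cookie is ignored by the audit.
SAMPLE_HEADERS = [
    "sessionid=7f3a9c; Path=/; Secure",
    render_set_cookie("sessionid", "51d0e2", path="/", secure=True, httponly=True),
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for h in missing_httponly(SAMPLE_HEADERS):
        print("session cookie set without HttpOnly:", h)
```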